aws.iam-role - filter based on trust policy

Is your feature request related to a problem? Please describe. I’m currently using a c7n policy that will auto attach an IAM managed policy to every newly created role. I’d like to do attach it to only IAM roles that have a trusted policy for ec2.amazonaws.com. Since I cannot do that afaict, I have tagged my non-EC2 iam roles with notEC2 or similar.

Describe the solution you’d like I’d like a new filter that would search through the trusted policy so we can see if an IAM role has a trust relationship with a specific AWS service.

Describe alternatives you’ve considered Using the tag based approach mentioned above.

Additional context

policies:
- name: iam-attach-default-policy
  resource: iam-role
  description: |
    Attach default IAM policy triggered on the cloudtrail event name CreateRole
  mode:
    type: cloudtrail
    events:
      - source: iam.amazonaws.com
        event: CreateRole
        ids: "requestParameters.roleName"
    role: cloud-custodian
    tags:
      application: cloud-custodian
      team: sre
      env: production
    execution-options:
      output_dir: s3://bucket/cloud-custodian/output
  filters:
    - type: no-specific-managed-policy
      value: base
    - not:
      - type: value
        key: Path
        op: regex
        value: ".*aws-service-role.*"
    - "tag:notEC2": absent
  actions:
    - type: set-policy
      state: attached
      arn: arn:aws:iam::{account_id}:policy/base